Attack chain flow diagram | Image: Cisco Talos
A sophisticated cyber espionage campaign has been quietly infiltrating the United States education and healthcare sectors for months. According to a newly released threat intelligence report, researchers at “Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as ‘UAT-10027,’ delivering a previously undisclosed backdoor dubbed ‘Dohdoor’”.
What makes this campaign particularly dangerous is its stealth. The attackers have engineered a novel piece of malware designed to blend seamlessly into normal internet traffic. As the report notes, “Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively”.
In simple terms, DNS-over-HTTPS is a protocol that wraps DNS lookups inside ordinary encrypted HTTPS traffic, which normally prevents eavesdropping on which domains a machine is resolving. However, UAT-10027 is abusing this privacy feature—specifically leveraging Cloudflare’s reputable DNS service—to smuggle instructions in and out of compromised networks without triggering traditional security alarms, because the C2 traffic looks like legitimate HTTPS to a trusted resolver.
The attack unfolds through a carefully orchestrated, multi-stage process:
- The Hook: The infection chain begins with social engineering, likely a phishing email designed to trick the victim into clicking a malicious link.
- The Script: Once clicked, a PowerShell script executes, which then downloads and runs a hidden batch script from a remote server.
- The Disguise: This batch script fetches the final Dohdoor payload, which is disguised as a legitimate Windows file, often named “propsys.dll”.
- The Sideload: To actually run the malware without being caught, the attackers use “living-off-the-land” techniques (abusing built-in Windows tools) to sideload the malicious code into legitimate, trusted applications like Imaging Devices.exe.
To further evade detection, the malware utilizes “NTDLL unhooking”—an evasion maneuver that removes the hooks Endpoint Detection and Response (EDR) software places in ntdll.dll, so the malware’s lower-level system calls go unobserved by the security tooling.
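As an added illustration of how a defender might hunt for the two behaviours described above (DoH to Cloudflare from an unexpected process, and propsys.dll sideloaded into a trusted binary such as Imaging Devices.exe), here is example detection logic that is not part of the Talos report. The event schema, the browser allowlist and all paths are constructed assumptions; real telemetry (Sysmon, EDR exports) would need a small mapping step.

```python
"""Added example, not from the Talos report: two detection checks for the
Dohdoor behaviours described above, run over constructed endpoint telemetry.
Rule 1: DNS-over-HTTPS to a public resolver from a non-allowlisted process.
Rule 2: propsys.dll loaded from outside System32 (DLL sideloading)."""

# Public DoH resolvers; Cloudflare's is the one the report names.
DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "1.0.0.1"}
# Processes that use DoH legitimately; tune this allowlist per environment.
DOH_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_doh(ev):
    """Alert when a non-allowlisted process talks HTTPS to a DoH resolver."""
    if ev.get("type") != "net" or ev.get("dst_port") != 443:
        return None
    if ev.get("dst_host", "").lower() not in DOH_HOSTS:
        return None
    proc = basename(ev["image"])
    if proc in DOH_ALLOWED:
        return None
    return f"doh_from_non_browser: {proc} -> {ev['dst_host']}"

def flag_sideload(ev):
    """Alert when propsys.dll is loaded from anywhere but System32."""
    if ev.get("type") != "imageload":
        return None
    module = ev["module"].lower()
    if basename(module) != "propsys.dll" or module.startswith(SYSTEM32):
        return None
    return f"sideload_propsys: {basename(ev['image'])} loaded {ev['module']}"

def scan(events):
    """Run every rule over every event; return the list of alert strings."""
    return [a for ev in events for a in (flag_doh(ev), flag_sideload(ev)) if a]

# Constructed sample telemetry; hostnames and paths are illustrative only.
SAMPLE_EVENTS = [
    {"type": "net", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst_host": "cloudflare-dns.com", "dst_port": 443},            # benign
    {"type": "imageload", "image": r"C:\Windows\explorer.exe",
     "module": r"C:\Windows\System32\propsys.dll"},                 # benign
    {"type": "imageload", "image": r"C:\Users\alice\AppData\Local\Temp\Imaging Devices.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\propsys.dll"},   # sideload
    {"type": "net", "image": r"C:\Users\alice\AppData\Local\Temp\Imaging Devices.exe",
     "dst_host": "cloudflare-dns.com", "dst_port": 443},            # DoH C2
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire only on the two malicious events; the browser's own DoH traffic and the genuine System32 propsys.dll load pass silently.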
While UAT-10027 is currently treated as a distinct cluster of activity, researchers have found striking similarities to one of the world’s most notorious cybercriminal syndicates.
The report points out that “The implementation of DNS-over-HTTPS (DOH) via Cloudflare’s DNS service to circumvent traditional DNS security, along with the process hollowing technique… were observed in the tradecraft of the North Korean APT actor Lazarus”. Furthermore, both groups share an affinity for the same highly specific evasion techniques and coding quirks.
Interestingly, targeting education and healthcare deviates from the Lazarus Group’s typical focus on cryptocurrency heists and defense contractors. However, other North Korean state-sponsored groups, such as the operators of the Maui ransomware and the Kimsuky APT, have a documented history of attacking these exact same sectors. This overlap suggests that UAT-10027 might be sharing tools and tactics within the broader North Korean cyber apparatus.
For defenders in the healthcare and education sectors, the discovery of Dohdoor is a reminder to closely monitor encrypted DNS traffic and scrutinize the behavior of trusted, built-in Windows applications.